2 Answers
2

Snort supports several output formats for the log parser, of which the CSV format is the most widely used. To configure Snort to use the CSV output format, add the following line to the snort.conf file:

output alert_csv: alert.csv default

There are by default 28 fields available for log analysis, including timestamp, sig_generator, sig_id, sig_rev, msg, proto, etc. For an understanding of Snort log management I recommend reading "Managing Snort Alerts".
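To show what the answer above means by working with the CSV fields, here is an added example (not code from the original answer or from the Snort project) that parses alert_csv lines and triages them by signature and source. It assumes snort.conf was given an explicit field list rather than `default` (e.g. `output alert_csv: alert.csv timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport`); the six leading field names come from the answer, the remaining four are assumed, and the sample alert lines are constructed using RFC 5737 documentation addresses and local-range signature IDs.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Assumed field order: it must match the format string configured in snort.conf.
# The first six names are the ones named in the answer; src/srcport/dst/dstport
# are assumptions for this example.
FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
          "src", "srcport", "dst", "dstport"]

# Constructed sample alerts, not real Snort output. Empty port columns are the
# ICMP rows, which carry no ports.
SAMPLE_CSV = """\
01/15-10:22:31.123456,1,1000002,1,"LOCAL ICMP echo sweep",ICMP,192.0.2.10,,198.51.100.5,
01/15-10:22:32.001000,1,1000002,1,"LOCAL ICMP echo sweep",ICMP,192.0.2.10,,198.51.100.6,
01/15-10:23:05.555000,1,1000001,2,"LOCAL ssh login attempt",TCP,203.0.113.7,51234,198.51.100.5,22
01/15-10:23:06.555000,1,1000001,2,"LOCAL ssh login attempt",TCP,203.0.113.7,51235,198.51.100.5,22
01/15-10:23:07.555000,1,1000001,2,"LOCAL ssh login attempt",TCP,203.0.113.7,51236,198.51.100.5,22
"""


def parse_alerts(text: str, fields: List[str] = FIELDS) -> List[Dict[str, str]]:
    """Parse alert_csv lines into dicts keyed by the configured field names.

    Rows whose column count differs from the configured field list are skipped
    rather than silently mis-mapped; that mismatch is the usual failure when the
    parser's field list and the snort.conf format string drift apart.
    """
    alerts: List[Dict[str, str]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row or len(row) != len(fields):
            continue
        alerts.append(dict(zip(fields, row)))
    return alerts


def count_by_signature(alerts: List[Dict[str, str]]) -> Counter:
    """Count alerts per rule, keyed gid:sid:rev as Snort identifies rules."""
    return Counter(f"{a['sig_generator']}:{a['sig_id']}:{a['sig_rev']}" for a in alerts)


def top_sources(alerts: List[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent source addresses across all alerts."""
    return Counter(a["src"] for a in alerts).most_common(n)


def sources_exceeding(alerts: List[Dict[str, str]], threshold: int) -> List[str]:
    """Sources that fired the same signature at least `threshold` times.

    A simple noisy-host view for triage that the raw CSV does not show directly.
    """
    per_pair = Counter((a["src"], a["sig_id"]) for a in alerts)
    return sorted({src for (src, sid), n in per_pair.items() if n >= threshold})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_CSV)
    print("alerts per signature:")
    for sig, n in count_by_signature(alerts).most_common():
        print(f"  {n:4d}  {sig}")
    print("top sources:", top_sources(alerts))
    print("sources with >= 3 hits on one signature:", sources_exceeding(alerts, 3))
```

To run it against a real file, replace `SAMPLE_CSV` with the contents of the alert.csv path named in the output line, and keep `FIELDS` identical to the format string in snort.conf; with the `default` keyword the field set is whatever the Snort version writes, so check the manual for that version before relying on column positions.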

Basically, Snort observes network packet traffic. It can be configured to log and/or report on any information that is available from the network packet. In most cases it is only trapping on frame and header data, but it can also be used for a fairly robust set of deep packet inspection (DPI) functions. DPI allows you to sort/track/trap/etc. based on information actually inside the packet, in addition to your Snort rule set. For a complete set of features, check out the Snort documentation at http://www.snort.org/docs. The FAQ is also quite useful for this type of question.